https://idp.wikimedia.org supports U2F tokens, which are being used by a number of employees on a trial basis, and things work well. However, there are still some gaps in our policy and processes, such as:
- How do we deal with a user who has lost their token (validating them, getting them a new token)?
- Will we support additional MFA options such as WebAuthn/TOTP?
- Will we support mobile devices?
- Will we mandate MFA for all groups of users, services, everyone?
We need to consider these issues and document some policies and processes before we consider rolling MFA out more generally.